Re: TLS on disconnected/intermittently connected networks

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 04 March 2021 22:01 UTC

To: ietf@ietf.org
Message-ID: <YEFYz75nFhpfVTpy@straasha.imrryr.org>
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <3f4db10c-dd92-354b-4fc9-6f14f4383454@network-heretics.com> <809967EB-F315-48D9-A301-73DFA4212FDE@dukhovni.org> <f9ad3bdd-3768-8c5f-a98c-73249f9a5ac3@network-heretics.com>
In-Reply-To: <f9ad3bdd-3768-8c5f-a98c-73249f9a5ac3@network-heretics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/aB2GCGYzna85UdXQ6hLYptQaMFI>

On Thu, Mar 04, 2021 at 02:59:47PM -0500, Keith Moore wrote:

> > TLS without DNS name checks and/or without any hierarchical PKI
> > is directly supported by OpenSSL.
> 
> Yes I know.  But people need web browsers that can do this.  And there's 
> still a need to thwart active attacks in such environments.
> 
> IOW it's not only TLS and X.509 that are needed, but a stack (including 
> browser) that can use these without needing DNS or external connectivity.

Since unlike various sorts of industrial equipment, ... browsers
presumably run on a mainstream OS (BSD, Linux, macOS, Windows, ...), you
can always MITM the browser with "stunnel" or fancier proxy, making all
connections to names that resolve to "127.0.0.1", and the proxy making
a connection to a downstream server based on the SNI name.

The proxy can authenticate the target servers via some appropriate
mechanism, but present SNI-based certs acceptable to the browser.

    https://www.envoyproxy.io/docs/envoy/latest/intro/intro

-- 
    Viktor.
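The proxy arrangement described in the message above, as an added example that is not part of the original post and not code from stunnel or Envoy: a minimal SNI-routing TLS proxy written against Go's standard library. The browser side gets a certificate minted on the fly under a local CA for whatever SNI name it asked for; the upstream side is a separate TLS session in which chain building and DNS name checks are switched off and the real server is authenticated by a different mechanism. The assumptions here are mine: that mechanism is a SHA-256 pin of the upstream's SubjectPublicKeyInfo, the browser-facing name is example.internal (which in a real deployment would resolve to 127.0.0.1), and, so the program runs offline, the three parties are joined with net.Pipe rather than sockets; a deployment would listen on 127.0.0.1:443 and net.Dial the upstream's host:port in the dial hook.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// mintCert issues a throwaway Ed25519 cert for name: self-signed (the local CA, or
// a PKI-less upstream) when parent is nil, otherwise a leaf signed by parent.
func mintCert(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	parentCert, signer := tmpl, interface{}(key) // self-signed, CA:TRUE as "openssl req -x509" does
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
		tmpl.IsCA, tmpl.KeyUsage = false, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// spkiPin is the SHA-256 of a cert's SubjectPublicKeyInfo: the upstream
// authentication mechanism assumed here in place of DNS names and a PKI.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Proxy terminates the browser's TLS with certs minted under a local CA and
// relays to a separately authenticated TLS session with the real server.
type Proxy struct {
	ca   tls.Certificate
	pins map[string][32]byte                 // SNI name -> expected upstream SPKI pin
	dial func(name string) (net.Conn, error) // SNI name -> transport to the real server
}

// handle serves one browser connection: handshake, route by SNI, relay bytes.
func (p *Proxy) handle(raw net.Conn) {
	down := tls.Server(raw, &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if _, ok := p.pins[h.ServerName]; !ok {
			return nil, errors.New("no route for SNI " + h.ServerName)
		}
		c := mintCert(h.ServerName, &p.ca) // a deployment would cache one per name
		return &c, nil
	}})
	defer down.Close()
	if down.Handshake() != nil {
		return
	}
	name := down.ConnectionState().ServerName
	upRaw, err := p.dial(name)
	if err != nil {
		return
	}
	// Authenticate the real server by pin alone: InsecureSkipVerify drops chain and
	// name checks, VerifyConnection still runs. tls.Client handshakes on first use,
	// so a pin mismatch aborts before either io.Copy has moved a byte.
	up := tls.Client(upRaw, &tls.Config{InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if spkiPin(cs.PeerCertificates[0]) != p.pins[name] {
				return errors.New("upstream key does not match pin for " + name)
			}
			return nil
		}})
	defer up.Close()
	go io.Copy(up, down)
	io.Copy(down, up)
}

// runDemo: a PKI-less upstream with a self-signed cert, the proxy, and a
// browser-like client that trusts only the local CA and asks for the assumed name
// example.internal (which would resolve to 127.0.0.1). Everything talks over
// net.Pipe so it runs offline; wrongPin models an impostor upstream.
func runDemo(wrongPin bool) (string, error) {
	const name = "example.internal"
	upCert := mintCert("upstream", nil)
	pin := spkiPin(upCert.Leaf)
	if wrongPin {
		pin[0] ^= 1
	}
	p := &Proxy{ca: mintCert("local-proxy-ca", nil), pins: map[string][32]byte{name: pin},
		dial: func(string) (net.Conn, error) {
			srv, cli := net.Pipe()
			go func() { // the real server: speaks first, then hangs up
				s := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{upCert}})
				s.Write([]byte("hello from upstream\n"))
				s.Close()
			}()
			return cli, nil
		}}
	bSrv, bCli := net.Pipe()
	go p.handle(bSrv)
	pool := x509.NewCertPool()
	pool.AddCert(p.ca.Leaf)
	browser := tls.Client(bCli, &tls.Config{RootCAs: pool, ServerName: name})
	b, err := io.ReadAll(browser)
	return string(b), err
}

func main() {
	out, err := runDemo(false)
	fmt.Printf("good pin: %q (err=%v)\n", out, err)
	out, err = runDemo(true)
	fmt.Printf("bad pin:  %q (err=%v)\n", out, err)
}
```

The two sides are deliberately independent TLS sessions: the browser only ever sees certificates chaining to the local CA it was told to trust, and the proxy never forwards a byte until the upstream has passed its own check, so a host that answers on the routed address with the wrong key gets a ClientHello and nothing more. The pin table is the piece a real deployment has to provision out of band (or replace with whatever mechanism the environment does have, such as DANE records served from a local resolver); the local CA private key is the piece that must never leave the machine, since anyone holding it can impersonate every name the browser reaches through the proxy.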